Hi,
Here is a thread that was started in the LV Champions forums: https://forums.ni.com/t5/LabVIEW-Champion-Discussions/Software-Feed-Security/m-p/4337693/highlight/...
For those who do not have access, it started when James McNally discovered that packages were served through an http (no encryption, no security) link.
I then recalled that I contacted the security team about vulnerabilities in packages exposed by the feeds in March 2022.
At that time the cybersec team answered that packages would be updated soon.
So I restarted my exercise today; here are my findings:
------------------
I just updated a LinuxRT VM today and installed RT image 2023.3 on it.
And I checked the current version of the tools I spoke about earlier: pgSQL and Samba.
pgSQL is now in version 13.5 => this version was released in 11/2021. So it is outdated (2 years old; current version is 16).
Samba is now in version 4.10.18 => this version was released in 09/2020. So it is outdated (3 years old; current version is 4.19.2).
Now if I look at CVE details (https://www.cvedetails.com/):
These vulnerabilities imply file access with elevated rights, code execution or data corruption.
------------------
How come that in the newest image given for NI LinuxRT, packages can be that deprecated and expose that many security issues?
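The version check described in the post can be automated so an image is audited every time it is rebuilt. The script below is an added example, not code from the post or from NI; it assumes the image's package manager is opkg (its `opkg list-installed` output has the form `name - version`), and the installed list and the upstream reference versions are constructed sample data, not real output from an image.

```python
import re

# Constructed sample in the shape of `opkg list-installed` ("name - version"),
# not real output from an NI Linux RT image (assumption: opkg/ipk packaging).
SAMPLE_INSTALLED = """\
postgresql - 13.5-r0
samba - 4.10.18-r0
openssl - 3.0.8-r0
"""

# Reference upstream versions, constructed for this example; in practice they
# would be pulled from each project's release page before every audit.
UPSTREAM_LATEST = {
    "postgresql": "16.0",
    "samba": "4.19.2",
    "openssl": "3.0.8",
}

def parse_version(v):
    """Turn '4.10.18-r0' into (4, 10, 18): the packaging revision is dropped and
    each component is an int, so 4.9 sorts below 4.10 (a lexical compare would not)."""
    core = v.split("-")[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))

def parse_installed(text):
    """Parse 'name - version' lines into {name: version}."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+) - (\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs

def audit(installed_text, upstream):
    """Return {name: (installed, latest, major_versions_behind)} for every
    package that lags its upstream reference; up-to-date packages are omitted."""
    findings = {}
    for name, ver in parse_installed(installed_text).items():
        latest = upstream.get(name)
        if latest is None:
            continue
        have, want = parse_version(ver), parse_version(latest)
        if have < want:
            findings[name] = (ver.split("-")[0], latest, want[0] - have[0])
    return findings

if __name__ == "__main__":
    for name, (have, latest, major) in sorted(audit(SAMPLE_INSTALLED, UPSTREAM_LATEST).items()):
        print(f"{name}: installed {have}, upstream {latest}, {major} major version(s) behind")
```

On a real image, replace `SAMPLE_INSTALLED` with the output of `opkg list-installed` and feed each flagged package name and version into a CVE lookup such as the one cited above.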